From 6410c70f7caa5045e2f12ebd7aab8d8b6d3e6a0b Mon Sep 17 00:00:00 2001 From: bogdanvlviv Date: Thu, 17 Jan 2019 20:10:01 +0000 Subject: Ensure that AR::Relation#exists? allows only permitted params Clarify changelog entry Related to #34891 --- activerecord/CHANGELOG.md | 8 ++++---- activerecord/test/cases/finder_test.rb | 8 ++++++-- activerecord/test/support/stubs/strong_parameters.rb | 8 +++++++- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index e987a0e279..508ad4c204 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,10 +1,10 @@ -* Set polymorphic type column to NULL on `dependent: :nullify` strategy. - +* Set polymorphic type column to NULL on `dependent: :nullify` strategy. + On polymorphic associations both the foreign key and the foreign type columns will be set to NULL. - + *Laerti Papa* -* Allow `ActionController::Params` as argument of `ActiveRecord::Base#exists?`. +* Allow permitted instance of `ActionController::Parameters` as argument of `ActiveRecord::Relation#exists?`. *Gannon McGibbon* diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb index 1c53362bac..b8ce11a791 100644 --- a/activerecord/test/cases/finder_test.rb +++ b/activerecord/test/cases/finder_test.rb @@ -226,11 +226,15 @@ class FinderTest < ActiveRecord::TestCase end def test_exists_with_strong_parameters - assert_equal false, Subscriber.exists?(Parameters.new(nick: "foo")) + assert_equal false, Subscriber.exists?(Parameters.new(nick: "foo").permit!) Subscriber.create!(nick: "foo") - assert_equal true, Subscriber.exists?(Parameters.new(nick: "foo")) + assert_equal true, Subscriber.exists?(Parameters.new(nick: "foo").permit!) + + assert_raises(ActiveModel::ForbiddenAttributesError) do + Subscriber.exists?(Parameters.new(nick: "foo")) + end end def test_exists_passing_active_record_object_is_not_permitted 
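Review bot: The new `assert_raises(ActiveModel::ForbiddenAttributesError)` block sits at the end of `test_exists_with_strong_parameters`, so it never runs if either `assert_equal` above it fails, and a regression in the unpermitted-parameters rejection would be reported under a generic test name. That rejection is the security-relevant behaviour of this change, so I would give it its own test, e.g. `def test_exists_with_unpermitted_strong_parameters_raises`, holding only the `assert_raises` block. The test also reaches the code only through `Subscriber.exists?`; adding a relation-level call such as `Subscriber.where(nick: "foo").exists?(Parameters.new(nick: "foo"))` would match the `ActiveRecord::Relation#exists?` wording of the changelog entry more directly.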
diff --git a/activerecord/test/support/stubs/strong_parameters.rb b/activerecord/test/support/stubs/strong_parameters.rb
index acba3a4504..84f93a28b9 100644
--- a/activerecord/test/support/stubs/strong_parameters.rb
+++ b/activerecord/test/support/stubs/strong_parameters.rb
@@ -3,10 +3,16 @@
 class Parameters
 def initialize(parameters = {})
 @parameters = parameters.with_indifferent_access
+ @permitted = false
 end
 def permitted?
- true
+ @permitted
+ end
+
+ def permit!
+ @permitted = true
+ self
 end
 def to_h
-- 
cgit v1.2.3
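Review bot: The stub now starts unpermitted and flips on `permit!`, but nothing in the file says how closely it is meant to track `ActionController::Parameters`; the real `permit!` also marks nested parameter objects as permitted, while this one only sets the flag on the receiver. A short comment above `class Parameters` would make that explicit, for example `# Minimal stand-in for ActionController::Parameters: unpermitted by default, permit! is shallow.` Whether `to_h` honours `@permitted` cannot be seen here because its body lies outside the hunk; if it returns the hash regardless, the same comment should say so, so that nobody relies on the stub to exercise that path.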